diff --git a/examples/client/client.c b/examples/client/client.c index 84d65496c..c0601e323 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -978,7 +978,9 @@ static const char* client_usage_msg[][59] = { #endif "-B Benchmark throughput" " using bytes and print stats\n", /* 15 */ +#ifndef NO_PSK "-s Use pre Shared keys\n", /* 16 */ +#endif "-d Disable peer checks\n", /* 17 */ "-D Override Date Errors example\n", /* 18 */ "-e List Every cipher suite available, \n", /* 19 */ @@ -1138,7 +1140,9 @@ static const char* client_usage_msg[][59] = { #endif "-B バイトを用いてのベンチマーク・スループット測定" "と結果を出力する\n", /* 15 */ +#ifndef NO_PSK "-s 事前共有鍵を使用する\n", /* 16 */ +#endif "-d ピア確認を無効とする\n", /* 17 */ "-D 日付エラー用コールバック例の上書きを行う\n", /* 18 */ "-e 利用可能な全ての暗号スイートをリスト, \n", /* 19 */ diff --git a/scripts/tls13.test b/scripts/tls13.test index 66942b9c2..f9dea890f 100755 --- a/scripts/tls13.test +++ b/scripts/tls13.test @@ -15,6 +15,10 @@ counter=0 # per source tree ready_file=`pwd`/wolfssl_tls13_ready$$ client_file=`pwd`/wolfssl_tls13_client$$ +# Server output +server_out_file=`pwd`/wolfssl_tls13_server_out$$ +# Client output +client_out_file=`pwd`/wolfssl_tls13_client_out$$ echo "ready file $ready_file" @@ -53,12 +57,21 @@ do_cleanup() { then echo "killing server" kill -9 $server_pid + server_pid=$no_pid fi remove_ready_file if [ -e $client_file ]; then echo -e "removing existing client file" rm $client_file fi + if [ -e $server_out_file ]; then + echo -e "removing existing server output file" + rm $server_out_file + fi + if [ -e $client_out_file ]; then + echo -e "removing existing client output file" + rm $client_out_file + fi } do_trap() { @@ -106,6 +119,7 @@ RESULT=$? remove_ready_file if [ $RESULT -eq 0 ]; then echo -e "\n\nIssue with mismatched TLS v1.3 cipher suites" + do_cleanup exit 1 fi do_cleanup @@ -124,12 +138,14 @@ if [ $? -ne 0 ]; then remove_ready_file if [ $RESULT -eq 0 ]; then echo -e "\n\nIssue with requiring mutual authentication" + do_cleanup exit 1 fi do_cleanup echo "" fi +# Check for TLS 1.2 support ./examples/client/client -v 3 2>&1 | grep -- 'Bad SSL version' if [ $? -ne 0 ]; then # TLS 1.3 server / TLS 1.2 client. @@ -143,6 +159,7 @@ if [ $? -ne 0 ]; then remove_ready_file if [ $RESULT -eq 0 ]; then echo -e "\n\nIssue with TLS v1.3 server downgrading to TLS v1.2" + do_cleanup exit 1 fi do_cleanup @@ -159,6 +176,7 @@ if [ $? -ne 0 ]; then remove_ready_file if [ $RESULT -eq 0 ]; then echo -e "\n\nIssue with TLS v1.3 client upgrading server to TLS v1.3" + do_cleanup exit 1 fi do_cleanup @@ -189,6 +207,7 @@ if [ $? -ne 0 ]; then remove_ready_file if [ $RESULT -eq 0 ]; then echo -e "\n\nTLS v1.3 downgrading to TLS v1.2 due to ciphers" + do_cleanup exit 1 fi do_cleanup @@ -198,6 +217,65 @@ if [ $? -ne 0 ]; then fi fi +# Check for EarlyData support +./examples/client/client -? 2>&1 | grep -- 'Early data' +if [ $? -eq 0 ]; then + early_data=yes +fi +./examples/client/client -? 2>&1 | grep -- 'Shared keys' +if [ $? -eq 0 ]; then + psk=yes +fi + +if [ "$early_data" = "yes" ]; then + echo -e "\n\nTLS v1.3 Early Data - session ticket" + port=0 + (./examples/server/server -v 4 -r -0 -R $ready_file -p $port 2>&1 | \ + tee $server_out_file) & + server_pid=$! + create_port + ./examples/client/client -v 4 -r -0 -p $port 2>&1 >$client_out_file + RESULT=$? + cat $client_out_file + remove_ready_file + grep 'Session Ticket' $client_out_file + session_ticket=$? + early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` + if [ $session_ticket -eq 0 -a $early_data_cnt -ne 2 ]; then + RESULT=1 + fi + if [ $RESULT -ne 0 ]; then + echo -e "\n\nIssue with TLS v1.3 Early DAta - session ticket" + do_cleanup + exit 1 + fi + do_cleanup + echo "" +fi + +if [ "$early_data" = "yes" -a "$psk" = "yes" ]; then + echo -e "\n\nTLS v1.3 Early Data - PSK" + port=0 + (./examples/server/server -v 4 -s -0 -R $ready_file -p $port 2>&1 | \ + tee $server_out_file) & + server_pid=$! + create_port + ./examples/client/client -v 4 -s -0 -p $port + RESULT=$? + remove_ready_file + early_data_cnt=`grep 'Early Data' $server_out_file | wc -l` + if [ $early_data_cnt -ne 2 ]; then + RESULT=1 + fi + if [ $RESULT -ne 0 ]; then + echo -e "\n\nIssue with TLS v1.3 Early DAta - session ticket" + do_cleanup + exit 1 + fi +else + echo "Early data not available" +fi + do_cleanup echo -e "\nALL Tests Passed" diff --git a/src/internal.c b/src/internal.c index 69e6a3ef1..4824ba89e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14507,18 +14507,31 @@ int DoApplicationData(WOLFSSL* ssl, byte* input, word32* inOutIdx) #ifdef WOLFSSL_EARLY_DATA if (ssl->options.tls1_3 && ssl->options.handShakeDone == 0) { - if (ssl->options.side == WOLFSSL_SERVER_END && - ssl->earlyData != no_early_data && - ssl->options.clientState < CLIENT_FINISHED_COMPLETE) { + int process = 0; + + if (ssl->options.side == WOLFSSL_SERVER_END) { ssl->earlyDataSz += ssl->curSize; - if (ssl->earlyDataSz <= ssl->options.maxEarlyDataSz) { + if ((ssl->earlyData != no_early_data) && + (ssl->options.clientState == CLIENT_HELLO_COMPLETE)) { + process = 1; + } + if (!process && (ssl->earlyDataSz <= ssl->options.maxEarlyDataSz)) { WOLFSSL_MSG("Ignoring EarlyData!"); *inOutIdx = ssl->buffers.inputBuffer.length; return 0; } - WOLFSSL_MSG("Too much EarlyData!"); + if (ssl->earlyDataSz > ssl->options.maxEarlyDataSz) { + WOLFSSL_MSG("Too much EarlyData!"); + process = 0; + } + } + if (!process) { + WOLFSSL_MSG("Received App data before a handshake completed"); + SendAlert(ssl, alert_fatal, unexpected_message); + return OUT_OF_ORDER_E; } } + else #endif if (ssl->options.handShakeDone == 0) { WOLFSSL_MSG("Received App data before a handshake completed");